1. Introduction

Voting is the foundation of a democratic system of
government, whether the system uses direct or representative governance. The
heart of voting is trust that each vote is recorded and tallied with accuracy
and impartiality. There is no shortage of historical examples of attempts to
undermine the integrity of electoral systems. The paper and mechanical systems
we use today, although far from perfect, are built upon literally hundreds of
years of actual experience.

There is immense pressure to replace our "dated"
paper and mechanical systems with computerized systems. There are many reasons
why such systems are attractive. These reasons include, cost, speed of voting
and tabulation, elimination of ambiguity from things like "hanging
chads," and a belated recognition that many of our traditional systems are
not well suited for use by citizens with physical impairments.

However, electronic voting brings a new set of risks and
drawbacks as well as advantages.In response to the problems and opportunities of electronic voting, the
Open Voting Consortium was established.

The Open Voting Consortium (OVC) is creating an open
source, trustworthy, cost effective, voter verifiable voting system using open
source software components on industry standard computers. A primary element of
this Open Voting system is the use of software through which the voter creates
a printed paper ballot containing his or
her choices. Before casting his or her ballot the voter may use other,
independently programmed, computers to verify that the ballot properly reflects
the voter's choices. The voter may also visually inspect the text printed on
the paper ballot. The paper ballot is cast by placing it into a ballot box.
Once cast, that paper ballot is the authoritative record of the voter's choices
for the election and for any recount of that election. Open Voting ballots are
machine-readable and may be tabulated (and re-tabulated in the case of a
recount) either by computer or by hand.

Open Voting systems can be engineered to accommodate the
special needs of those who have physical impairments, or limited reading
ability.

Many of us today have come to trust many of our financial
transactions to ATMs (automatic teller machines). The push for electronic
voting machines has benefited from that faith in ATMs. However, we are starting
to learn that that faith is unwarranted.

First, ATM machines do fail and are often attacked. Those
who operate ATMs usually consider the loss rate to be a proprietary secret.
Banks are well versed in the actuarial arts and they build into their financial
plans various means to cover the losses that do occur. In more crude terms,
it's only money.

Second, voting machines carry a more precious
burden — there is no way to buy insurance or to set aside a
contingency fund to replace a broken or tampered election.

There are several areas of concern regarding the new
generation of computerized voting machines:

ŠNo means for the voter to verify that his or her votes
have been tallied properly.

ŠNo means outside of the memories of the voting machines
themselves to audit or recount the votes.

ŠLack of ability to audit the quality of the software.
Fortunately the widespread belief that "computers are always right"
is fading. Our individual experiences with error-ridden software on personal
computers and consumer products (e.g., the BMW 745i[1]),
software errors by even the best-of-the-best (e.g., NASA and the loss of the Mars Climate
Orbiter[2]), and the
possibility that intentional software bugs can be hidden so deeply as to be
virtually invisible (Ken Thompson's famous 1984 paper — Reflections on Trusting Trust[3])
have all combined to teach us that we should not trust software until that
trust has been well earned. And even then, we ought not to be surprised if
unsuspected flaws arise.

ŠVulnerability of the machines or of their supporting
infrastructures to intentional attack or inadvertent errors.

The companies that produce voting machines have poured
gasoline onto the smoldering embers of concern. Some of these products are
built on Microsoft operating systems — operating systems that have a
well-earned reputation for being penetrable and unsecure.[4]
And most of these companies claim that their systems are full of trade secrets
and proprietary information and that, as a consequence, their internal workings
may not be inspected by the public. In addition, these companies have
frequently displayed a degree of hostility (in some cases, the hostility took
the form of lawsuits[5]) against
those who are concerned about the integrity of these products. And finally,
their systems have “vulnerabilities [that] do show incompetence” and were built
by “programmers [who] simply don’t know how to design a secure system.”[6]
There is a widespread perception that these companies are more concerned about
profits than about fair and trustworthy elections.

The Help America Vote Act of 2002[7]was passed into law to modernize voting equipment as
a result of the 2000 US Presidential election and the problems observed in
Florida.[8]
The Federal Election Commission (FEC) has issued a set of Voting System
Standards (VSS)[9]
that serve as a model of functional requirements that elections systems must
meet before they can be certified for use in an election. The next section
discusses the existing voting machines that meet those standards. Section 3
considers the rationale for an accessible voter-verifiable paper ballot. Section
4 is a description of the Open Voting Consortium architecture for the polling
place. Section 5 mentions the current state of the system and next steps for
its development. Conclusion, acknowledgements, and references follow.

2. OVC System Description

The OVC system will be very much like a traditional system
in which the voter enters the polling place, marks his or her choices onto a
paper ballot, and inserts the ballot into a ballot box. Our design applies
computer technology to that traditional system. However, unlike some of the
other computerized voting systems that change the basic nature of the
traditional system, our design applies computer technology only in a limited
and conservative way.

The OVC design preserves the paper ballot. However, under
the OVC design the voter marks the ballot using a computerized voting station
rather than a pencil or colored marker. The ballot is printed in plain text
that the voter can read. Voters have the opportunity to inspect the ballot to
ensure that it properly reflects their choices.

The OVC design will preserve the ballot box. Voters must
insert their paper ballots into the ballot box. The OVC ballots will contain a
barcode in addition to the plain text. This barcode makes it easy for the poll
workers to count the ballots[10]
when the ballot box is opened.

The OVC design will be a voter-verified voting system. The
core difference between this and other systems, such as DRE equipped with
printers, is that in the OVC design the paper ballot is the actual ballot; information
that might be recorded in computer memories or on computer media is used only
for security, error-detection, fraud detection/prevention, and auditing.

A group led by Avi Rubin and Dan Wallach analyzed the
Diebold AccuVote TS DRE voting machine and found numerous flaws.[11]
SAIC was commissioned by the state of Maryland to analyze the Diebold voting
system and found “[t]he system, as implemented in policy, procedure, and
technology, is at high risk of compromise.”[12]
Based on these reports, the California Secretary of State’s office established
security procedures for DRE voting machines.[13]
Diebold was then found to have used uncertified software in 17 counties in
California.[14] The
California Secretary of State then decertified the Diebold and all other DREs
on April 30, 2004.[15]

ES&S
iVotronic is a poll-worker-activated, multilingual touch screen system that
records votes on internal flash memory. A poll worker uses a cartridge-like
device called a Personal Electronic Ballot (PEB) to turn the machine on and
enable voting. Voters first choose their ballot language and then make their
selections via a touch screen. When the polls close, poll workers read summary
data from each machine onto the PEB via infrared. The PEBs are then transported
to election headquarters or their contents transmitted via a computer network.

In September 2002
in Florida, a spot check of iVotronic machines revealed several precincts where
hundreds of voters had only one or even no selections chosen the their ballots
cast on Election Day and vote totals produced by the main and backup system did
not agree.[16] In October 2002 in Texas, several people
reported that their votes registered for a different candidate on screen and,
in fact, some votes cast for Republicans were counted for Democrats.[17] In November 2002, two early-voting
locations in Wake County, North Carolina (Raleigh) failed to record 436 ballots
due to a problem in the iVotronics’ firmware.[18]

Hart’s eSlate is
a voter-activated multilingual voting system where the voter turns a selector
wheel and set of buttons to indicate their votes. The eSlate terminals are
connected via daisy-chained serial cable to a central controller, the Judges’
Booth Controller (JBC), which provides power, vote activation, and vote storage
for up to twelve eSlate terminals. A poll worker issues a 4-digit PIN to the
voter using the JBC. The voter enters this PIN on an eSlate and votes using its
selector wheel and buttons. Once the vote is cast, the vote is transmitted via
a cable to the JBC and stored in flash memory on the JBC’s Mobile Ballot Box
(MBB). The MBB is then either physically transported to election headquarters
or its contents transmitted via computer network.

In November 2003,
poll workers in Harris County, Texas, confused by the system’s complexity,
could not get the machines to work properly and had been assigning the wrong
ballots to voters using the JBC.[19] In February 2004 in Virginia, voters had to
cast paper ballots when the JBC used at one precinct “fried,” rendering all the
eSlate machines unusable.[20] In March 2004 in Orange County, California,
hundreds of voters were turned away when one eSlate machine broke down.[21] At the same time in California, poll
workers incorrectly assigned ballots from different precincts to their voters
and approximately 7000 voters cast ballots for the incorrect precinct.[22]

The Sequoia AVC
Edge is a voter-activated multilingual touch screen system that records votes
on flash memory. Its operation is very similar to the Diebold AccuVote-TS
described above.

In March 2002 in
Palm Beach County, Florida, the Edge machines froze up when voters selected
their ballot language and other reports indicate votes counted for the wrong
candidate.[23] As well, 15 PCMCIA cards were temporarily
lost and the central system would not report the results and in a very close
race many ballots were blank.[24] In April 2002, in Hillsborough County,
Florida, one precinct could not transfer data on 24 out of 26 PCMCIA cards;
results were faxed and entered in by hand.[25] In March 2003, a similar problem plagued
PCMCIA cards.[26] In November 2002, in Bernalillo County, New
Mexico, 48,000 people voted early, but no race showed more than 36,000 votes
due to a software bug.[27] In June 2004, in Morris County New Jersey,
the central tabulation system read only zeros from the PCMCIA cards.[28]

Other DRE vendors are proposing to add printers to their
DREs.[29]
AccuPoll has an Electronic Voting System with a voter-verified paper audit
trail[30]
and Sequoia Voting Systems is marketing optional voter-verified paper record
printers for their DREs.[31]
The state of Nevada used these VeriVote printers in the 2004 primary and
presidential elections.[32]
Although some predicted that the printers would fail or cause long lines,
“[t]he primary election was free of serious problems that have embarrassed
registrars in Florida, California, Maryland and other states with touchscreen
machines.”[33]The Avante Vote-Trakker is
a DRE with a voter-verified paper audit trail.[34]
However, none of these systems are in wide use, and some have not even been
certified. None of them meet the current California AVVPAT standards.

There are several problems with the use of paper ballots
that are optically scanned with mark/sense-type tabulation systems. The paper
ballot is not accessible to the visually impaired or reading impaired. And the
paper ballot must be available in multiple languages as required by the
jurisdiction. The use of paper does enable recounts, but potentially suffers
from the problems of overvotes, undervotes, and improper changes to ballots
(including extraneous marks, which would void the ballot).

3.6.1 AutoMark

The AutoMark[35]
system is an Electronic Ballot Marker (EBM) that addresses accessibility
problems by using an interface comparable to a Direct Recording Electronic
voting machine. Similarly, it can provide support for multiple languages and
limit overvotes and undervotes through its user interface. AutoMark uses
ballots identical to those also used for manually-marked optical-scan systems.
AutoMark effectively replaces the pen in such systems with a marking device
that supports multiple languages and detects overvotes and undervotes. So there
is the question of whether the printed ballots are in each required language,
so that a non-English-speaking voter can still verify his or her ballot. It is
possible to have a device with accessible output modes that reads the voter’s
marked choices (like that of OVC system described in Section 5.1.7), so that
the voter may verify that the ballot is marked correctly, but that is not
currently part of the AutoMark system. A key benefit of the AutoMark system is
that the same optical scan tabulation system can be used for ballots cast in
polling places, absentee ballots, and provisional ballots. But they neither
maintain an electronic audit trail nor use digital signatures to detect ballot
stuffing.

However, the optical scan tabulating systems are also
potential sources of error. They must be calibrated to properly distinguish the
ballot markings. For example, during the March 2004 primary election in Napa
County, California, “optical scan machines from Sequoia Voting Systems failed
to record voters’ ballot marks on the paper copy…. Apparently, the optical scan
machines can read carbon-based ink but not gel pens.”[36]
There is also the potential that the vote tabulation software could have errors
or have been fraudulently modified.

3.6.2 Populex

The Populex[37]
system is an Electronic Ballot Printer (EBP) that also addresses accessibility
by using an interface comparable to a Direct Recording Electronic Voting
Machine. The output is a small printed ballot with a barcode that contains the
voter’s ballot selections. Numbers are printed on the bottom of the ballot so
that the voter can read the choices, but these numbers must be matched to a
chart (e.g., on the wall) in the precinct. Because the ballots are paper, a
provisional ballot could be placed in an envelope for subsequently determining
whether the ballot should be counted. However, absentee ballots must be counted
using a different technology, unless the absentee voter uses a Populex system.

3.7 DREs used internationally

Various countries around the world have chosen to use DRE
systems. The Dutch-based NEDAP[38]
system is used in the Netherlands, France, Germany, the United Kingdom and
Ireland but has been criticized for its flaws.[39]
The voting machine developed and used recently in India[40]
is very simple and lacks features like disabled and multilingual access.
Venezuela chose VVPAT-enabled Smartmatic[41]
DREs on which to conduct its recent referendum on the President; there were
allegations of fraud, but the “audit concluded the voting machines did
accurately reflect the intent of the voters, as evidenced by a recount of the
paper ballots in a sample of the machines.”[42]

4. Why an Accessible Voter-Verifiable Paper Ballot

Many computer and other experts have joinedVerifiedVoting.org’s call for “the use
of voter-verified paper ballots (VVPBs) for all elections in the United States,
so voters can inspect individual permanent records of their ballots before they
are cast and so meaningful recounts may be conducted. We also insist that electronic
voting equipment and software be open to public scrutiny and that random,
surprise recounts be conducted on a regular basis to audit election equipment.”[43]

4.1 Paper Receipts vs. Paper Ballots

We speak of OVC creating a paper ballot, not a receipt, nor simply a "paper
trail." That is, for OVC machines, the printout from a voting station is
the primary and official record of votes cast by a voter. Electronic records
may be used for generating preliminary results more rapidly or for auditing purposes,
but the paper ballot is the actual official vote document counted.[44]

Some writers discuss producing a paper receipt, which a
voter might carry home with them, as they do an ATM receipt. There are two
significant problems with this approach. In the first place, if we suppose that
a voting station might have been tampered with and/or simply contain a
programming error, it is not a great jump to imagine that it may print out a
record that differs from what it records electronically. A receipt is a
"feel good" approach that fails to correct the underlying flaws of
DREs.

But the second problem with receipts is even more
fundamental. A voting receipt that can be carried away by a voter enables vote
buying and vote coercion. An interested third party—even someone as seemingly
innocuous as an overbearing family member—could demand to see a receipt
for voting in a manner desired. With OVC systems, ballots must be placed into a
sealed ballot box to count as votes. If a voter leaves with an uncast ballot,
even if she went through the motions of printing it at a vote station, that
simply does not represent a vote that may be "proven" to a third
party.

What some vendors refer to as a paper trail suffers from a
weakness similar to the first problem paper receipts suffer. Under some such
models, a DRE voting station might print out a summary of votes cast at the end
of the day (or at some other interval). But such a printout is also just a
"feel good" measure. If a machine software or hardware can be flawed
out of malice or error, it can very well print a tally that fails to accurately
reflect the votes cast on it. It is not paper that is crucial, but voter-verifiability.

4.2 Paper Audit Trail Under Glass vs. Paper Ballot

While "paper audit trail under glass" does
indeed do a pretty good job of preventing ballot box stuffing with forged
physical ballots, this approach is not the only—nor even the
best—technique to accomplish this goal. We plan for OVC systems to
incorporate cryptographic signatures and precinct-level customization of
ballots that can convincingly prove a ballot is produced on authorized
machines, at the polling place, rather than forged elsewhere. For example, a
simple customization of ballots is a variation of the page position of our
ballot watermarks in a manner that a tamperer cannot produce in advance.
Surprisingly much information can be subtly coded by moving two background
images a few millimeters in various directions. Another option is to encode a
cryptographic signature within the barcode on a ballot—in a manner that
can be mathematically proven not to disclose anything about the individual
voter who cast that vote, but simultaneously that cannot be forged without
knowledge of a secret key, which is known only to that electronic voting
machine.

There are several narrowly technical problems with “paper
audit trail under glass” systems. A “paper audit trail under glass” system has
some extra mechanical problems with allowing rejection of incorrect paper
record; some sort of mechanism for identifying the paper record as spoiled,
perhaps through an ink mark. This approach increases the potential of physical
failure, such as paper jams.

A more significant issue for "paper audit trail under
glass" systems is their failure to provide the quality of accessibility to
vision- or reading-impaired voters that OVC's design does. Sighted voters who
happen to need reading glasses, or who can read only large print or closely
held print, are likely to find “paper audit trail under glass” systems more
difficult to check than printed ballots they can physically hold. Even if these
machines add provisions for audio feedback on final ballots, users are
dependent on the very same machine to provide such audio feedback. Potentially,
a tampered-with machine could bias votes, but only for blind voters (still
perhaps enough to change close elections).In contrast, OVC positively encourages third parties to
develop software to assure the barcode encoding of votes matches the visibly
printed votes—every voter is treated equally, and all can verify ballots.

From a more sophisticated cryptology perspective, “paper
audit trail under glass” systems are likely to compromise voter anonymity in
subtle ways. One of the issues the world-class security researchers associated
with our design have considered is the possibility that sequential or
time-stamp information on ballots could be correlated with the activity of
individual voters. Even covert videotaping of the order in which voters enter a
polling place might be used for such a compromise. This problem is more serious
in those systems in which the voter-verified paper audit trail is maintained on
a continuous paper tape fed onto a take-up spool. However, on systems that cut
the audit trail into pieces, one for each voter, that ballots that fell to the
bottom of the glass bin may be visible to subsequent voters. Such potential
visibility also compromises anonymity. This analysis is just part of the threat
analysis study that we will perform in order to create a reliable, secure, and
trustworthy election system.

A far more serious problem with a voter-verified paper
audit trail is the difficulty of automated tabulation of the audit trail. This
problem is especially acute when the voter-verified paper audit trail is cut
into pieces, one for each voter. The glass bin is likely to be a mass of coiled
paper strips. While the continuous spool approach to the paper audit trail is
neater, it suffers from an anonymity problem as identified above. When the
paper audit trail can only be used in a manual tabulation process, there will
be enormous pressure to minimize its use, thereby reducing its effectiveness.
In contrast, the OVC design facilitates automated tabulation of the paper
ballots while enabling manual counting and voter-verification also. However, even
when there is an automated tabulation process of the paper ballots, it is
critical for a random sample of precincts to be manually tabulated, as a
further check on the system.

4.3 Accessible Voting

One of the key benefits of electronic voting machines is
to allow disabled voters to vote unassisted.[45]
However, as the movement for a voter-verifiable paper audit trail grows,[46]
there is a need for the paper audit trail to be accessible as well.[47]
The Open Voting Consortium’s voting system is designed to be accessible for
both entering the votes and verifying the paper ballot produced.

5. OVC System Overview

The Open Voting Consortium (OVC) is developing a PC-based
open source voting machine with an accessible voter-verified paper ballot. We
intend to use an open source operating system for the PC, such as Knoppix, a
variant of Linux that boots off of a CD. The polling place system consists of a
Voter Sign-in Station, an Electronic Voting Station, an Electronic Voting
Station with a Reading-Impaired Interface, a Ballot Verification Station, and a
Ballot Reconciliation Station. See Figure 1. In addition, there are components
at the county canvassing site that are discussed only briefly in this paper.

The OVC Precinct/Polling Place Element is intended to
provide all of the systems and procedures required for a polling place except
for voter rolls, sign-in books and the like. The OVC system will be flexible so
that it will be adaptable to applicable laws as well as local preferences.

The OVC design will accommodate polling places in which
different classes of voters, for example voters of different parties, may be
accommodated with ballots appropriate for that particular voter.

Overall design and operation of the OVC system is simplified
because the paper ballot produced by it will be the legal ballot. For example,
in the OVC design equipment failures will not be handled at the polling place
except to the extent necessary to disconnect the failed unit, seal it, and
deploy a backup unit.

The OVC design is very concerned that voters with physical
disabilities and limited reading ability are accommodated. It is anticipated
that the OVC design will contain variations of the Voting Station and Ballot
Verification Station that will be designed with user interfaces tailored to the
needs of voters with certain types of physical impairments.

The OVC design will not require substantial changes to the
workflow of a typical polling place; voters and poll workers will find that
procedures are comparable to those used in existing American polling places.

5.1.1 Voter Sign-in Station

The Voter Sign-In Station is used by the poll worker when
the voter signs in and involves giving the voter a "token." It is a
requirement that each voter cast only one vote and that the vote cast be of the
right precinct and party for the voter. The "token" authorizes the
voter to cast a ballot using one of these techniques.

ŠPre-printed
ballot stock

oOption
for scanning ballot type by EVM

ŠPoll
worker activation

ŠPer-voter
PIN (including party/precinct identifier)

ŠPer-party/precinct
token

ŠSmart
cards

The token is then used by the Electronic Voting Station
and the Electronic Voting Station with the Reading Impaired Interface to ensure
that each voter votes only once and only using the correct ballot type.

If the voter spoils a ballot, the ballot is marked spoiled
and kept for reconciliation at the Ballot Reconciliation Station, and the voter
is given a new token for voting.

In the case of a per-voter PINs or smart cards, it is imperative
that these do not personally identify the voter.

5.1.2 Electronic Voting Station

The Voting Station is the voter’s primary point of contact
with the OVC system. After the voter signs-in, a poll worker will direct the
voter to a Voting Station.

The physical appearance of the voting station will be that
of a lightweight booth with privacy curtains or walls. There will be an
integrated device—an Electronic Voting Station—containing computer,
printer, battery, and flat screen display. The display will allow touch-screen
use and will be mounted so that it may be adapted for use by voters who stand
and voters who are in wheel chairs.

The Voting Station will be designed so that setup and
teardown are easy; it is anticipated that installation will be largely an
unfold-and-plug-in operation.

The Voting Station will be tamperproof and be engineered
to endure physical abuse during shipping, deployment, and use. The Voting
Station will be designed so that it may be sealed against unauthorized access
with locks and lead/wire seals.

We are developing procedures that ensure that the correct
certified software is operating on the voting machines, from booting from a CD
rather than the hard drive, verifying checksums and hardware configurations, as
well as other means.

oThe
ballot can be read by the Ballot Verification Station and includes text in OCR
format, plus a barcode for more foolproof reading.

oA
persistent EBI storage device, such as a USB memory dongle (i.e., a USB flash
memory device) for persistently storing the EBIs until the end of the day, when
the EBIs are transferred onto the CD-R. The USB memory dongle is kept for audit
purposes.

oDevice
should be large enough not to be easily lost

oDevice
should be lockable and tamper proof when locked

oPotentially,
device could lock in the open position onto cabinet and PC and lock in the
closed position sealed and ready for removal. Device could be set to be open
only once, and on subsequent openings the device would be read only.

oMay
also have hardware private key for digitally signing the ballot.

oSecurity
enclosure that prevents tinkering with the device

5.1.3 Electronic Voting Station with Reading Impaired Interface

The Electronic Voting Station with Reading Impaired
Interface is a computer similar to the Electronic Voting Station described
above that includes auditory output of the ballot choices and selections made
and also includes additional modes of making selections suitable for the blind
or reading impaired. Whether these features are integrated to a common voting
machine with all functionality, or whether there is a separate configuration
for the disabled, is an open question. For example, additional modes of input may
be useful for those who can read printed materials, but have physical
limitations. The ideal is a universal design that accommodates all voters.

The electronic voting station for the reading impaired
produces a printed ballot that can be processed by the Ballot Verification
Station.

5.1.4 Paper Ballot

The paper ballot is generated by the Electronic Voting
Station or the Electronic Voting Station with Reading Impaired Interface. It is
the paper on which the voter’s choices are recorded. It must be “cast” in order
to be tallied during canvassing, testing, or a manual recount.

The paper ballot can easily be read by the voter so that
the voter may verify that his or her choices have been properly marked. It also
contains security markings and a barcode. The barcode encodes the user’s
choices, as expressed in the human readable portion of the ballot. The human
readable text should be in an OCR-friendly font so it is computer-readable as
well. The voter may use the Ballot Verification Station to verify that the barcode
accurately reflects their choices. The Ballot Verification Station not only
assists sight-impaired and reading-impaired voters in verifying their ballots,
but also to give any voter the assurance that the barcode on the ballot
properly mirrors their choices, as represented in the human-readable text on
the ballot.Ideally, the Ballot
Reconciliation System reads the OCR text of the ballot was well, not just the
barcode.

The barcode consists of several things:

ŠIdentifiers, such as the date (but not time), election, precinct, type of ballot, polling
machine, and random ballot ID for reconciliation against the electronic record
made by the Electronic Voting Station or the Electronic Voting Station with
Reading Impaired Interface. No information that can identify the voter is
included on the ballot.

ŠThe selections made by the voter.

ŠChecksums to detect processing errors.

ŠAdditional padding data to obscure the barcode so that
poll workers, who will be able to see the barcode (but not the textual part of
the ballot) will not be readily able to ascertain by eye what selections the
voter made.

ŠThe barcode is designed so that none of the information
in the barcode can be used to identify any voter personally.

Spoiled paper ballots are kept by the Ballot Reconciliation
System to be reconciled against Electronic Ballot Images (EBIs) produced by the
Electronic Voting Station or the Electronic Voting Station with Reading
Impaired Interface.

5.1.5 Privacy Folder

The paper ballot contains the voter’s choices in two forms:
a form that can be read by people and a barcode that expresses those choices in
a machine-readable form.

Poll workers may come in contact with the ballot should
they be asked to assist a voter or to cast the ballot into the ballot box. In
order to protect voter privacy it is desirable to minimize the chance that a
poll worker might observe the voter's ballot choices.

A privacy folder is just a standard file folder with an
edge trimmed back so that it reveals only the barcode part of a ballot. The
voter is expected to take his/her ballot from the printer of the Electronic
Voting Station or the Electronic Voting Station with Reading Impaired Interface
and place it into a privacy folder before leaving the voting booth.

The privacy folder is designed so that the voter may place
the ballot still in its folder against the scanning station of Ballot
Verification Station to hear the voter's ballot's choices spoken.

When handed the ballot by the voter, the poll worker casts
the ballot by turning the privacy folder so the ballot is face down, and then
sliding the paper ballot into the ballot box.

5.1.6 Ballot Box

This is a physically secure container, into which voters
have their paper ballots placed, in order to "cast" their votes. The
mechanical aspects of the voting box will vary from jurisdiction to
jurisdiction, depending on local laws and customs.

5.1.7 Ballot Verification Station

The Ballot Verification Station reads the ballot produced
by the Electronic Voting Station or the Electronic Voting Station with Reading
Impaired Interface and speaks (auditorily) the selections on the voter's
ballot. A count is kept of usage, including counts of consecutive usage for the
same ballot, but no permanent record is kept of which ballots are verified.

The computer boots off the CD-R, which includes the
following:

ŠThe operating system

ŠThe BVS software

ŠBallot Definition files and public keys of various
Electronic Voting Stations

ŠSound files for the ballot

ŠPersonalization

ŠStartup record

ŠNon-ballot identifying statistics on usage

It is possible for the Ballot Verification Station to have
a screen and to display the selections on the screen at the voter's option.
Such an option (enabled by the voter upon her request) would enable a voter who
can read to verify that her ballot will be read correctly for automated
tallying.

The Ballot Verification Station reads the same portion of
the paper ballot read by the Ballot Reconciliation Station, including the
barcode and, ideally, the text via OCR.

5.1.8 Ballot Reconciliation Station

The Ballot Reconciliation Station reads the paper ballots
and reconciles them against the Electronic Ballot Images (EBIs) on the CD-Rs
from the Electronic Voting Station or the Electronic Voting Station with
Reading Impaired Interface. The purpose of reconciling the paper ballots with
the electronic ballot images is to prevent ballot stuffing as well as an audit
check on the canvassing process.The process also produces the vote totals for that precinct.

The Ballot Reconciliation Station includes the following components:

ŠScanner, preferably page fed

ŠPC

ŠMonitor

ŠInput devices: keyboard, mouse

ŠPrinter

oPrints
vote totals for posting

ŠCD-R

oLike
the other CD-R; includes cumulative copy of EBIs as well as vote totals by
precinct.

ŠCD drive (not writeable)

oFor
loading the CD-R’s from the Voting Stations.

The Ballot Reconciliation System runs the Ballot
Reconciliation Procedure, which is beyond the scope of this paper.

5.1.9 Box for Spoiled Ballots

When a voter spoils a ballot, perhaps because the ballot
does not accurately reflect her preferences, the ballot is marked spoiled and
placed in a box for spoiled ballots for later reconciliation.

When a voter shows up at a polling place and does not
appear on the voting roll or the voting roll shows that the voter was sent an
absentee ballot, then the voter is allowed to vote by being given a “token” for
a provisional ballot. A distinctive smart card or a provisional “blank” ballot
or even a distinctive privacy folder is given to the voter. When the voter has
printed the provisional ballot and hands it to the poll worker, the poll worker
seals the provisional ballot in an envelope along with the details necessary to
determine whether the ballot should be counted and places the provisional ballot
in a box for provisional ballots for later reconciliation.

When an absentee ballot is received at a polling place, a
poll worker checks the identification of the person delivering it, places on
the envelope a sticker from the absentee ballot audit sheet, and places it in
the absentee ballot box.

When an absentee ballot is received by mail, a county poll
worker places on the envelope a sticker from the absentee ballot audit sheet,
and places it in the absentee ballot box. When an absentee ballot is hand
delivered at the county canvassing site, a county poll worker checks the
identification of the person delivering it, places on the envelope a sticker
from the absentee ballot audit sheet, and places it in the absentee ballot box.

The process for validating absentee ballots is comparable
to the current process, with the notable exception that the sticker must be
present on the envelope. The database record for the voter needs to be marked
to indicate an absentee ballot was cast. When a voter casts an absentee ballot
also casts a provisional ballot, the provisional ballot will not be counted.
The ballot is separated from the envelope for canvassing.

A canvassing system for absentee and provisional ballots
will be developed that reads in each optically scanned ballot to create an
electronic ballot image. These electronic ballot images are aggregated with the
scanned or reconciled versions of the electronic voting machine-printed paper
ballots.

Reports are made available by precinct for the vote totals
for the combination of absentee and provisional ballots. The number of absentee
and of provisional ballots is also made available by precinct.

6. Current Status and Next Steps

A demonstration system was shown at the Santa Clara County
Government Building in San Jose, California on April 1, 2004. This
demonstration was featured on KGO-TV and KCBS and KGO radio later that day and
described in the San Jose Mercury News that morning.[49]
On April 8, 2004, the San Jose Mercury News referred to our system in an
editorial as a “Touch Screen Holy Grail.”[50]
Further demonstrations were given at the Computers, Freedom, and Privacy
conference in Berkeley, California on April 23, 2004.[51]
Another demonstration was given at the PlaNetwork conference in San Francisco,
California on June 6, 2004.[52]
The privacy aspects of our system were presented at the Workshop on Privacy in
the Electronic Society[53]
and will appear in a book.[54]
The open source of the demonstration system can be found on Source Forge
project EVM2003.[55]

Several state colleges and the Open Voting Consortium are
currently in discussions with their respective Secretaries of States to obtain
HAVA funding to build production-quality reference versions of this system.

7. Conclusions

The Open Voting Consortium has demonstrated a voting
system based on a PC-based electronic voting machine with voter-verifiable
accessible paper ballot. We have described the design for the production system
we propose to build, based on the prototype we have built and the lessons
learned in the process. In the development of this system, we expect to enhance
the state of the art in building reliable and trustworthy computerized systems.
However, it is not merely the software and hardware components that are of
concern; the voting processes and procedures are also key to the development of
a reliable, secure, trustworthy and accessible system.

8. Acknowledgements

We acknowledge the efforts of the volunteers of the Open
Voting Consortium who contributed to the design we describe. In particular,
Alan Dechert developed much of the design and Doug Jones provided significant
insights into voting issues. Arthur Keller organized the development of the
software and arranged for the demonstrations. The demonstration software was
largely developed by Jan Kärrman, John-Paul Gignac, Anand Pillai, Eron Lloyd,
David Mertz, Laird Popkin, and Fred McLain. Karl Auerbach wrote an FAQ on which
parts of this paper is based.Amy
Pearl also contributed to the system description. Joseph Lorenzo Hall
contributed useful background. Ron Crane gave useful feedback.

Our work was inspired by Curtis Gans, Roy Saltman, Henry
Brady, Ronnie Dugger, Irwin Mann, and others who have spoken out on the need
for auditable, consistent, secure and open election administration. In the last
two years, David Dill and Bev Harris have been especially helpful. David Dill
referred several people to the OVC, and he and Bev Harris have helped the
public recognize the need for a voter-verified paper audit trail.

[10] We propose that each polling place include a Ballot
Reconciliation System (BRS) (described below) that has a sheet fed scanner for
reading the barcode. The BRS has other benefits in support of auditing the
system, also described below.

[48] Each
ballot’s barcode will be digitally signed.We use the private key for signing each ballot and the
public key verifying the signature. The key pair could be generated by the
voting machine, with the public key recorded on the CD-R and on the “test
sheet” printed at the start of a voting day and the private key never released
outside the voting machine itself.